Mailinglist Archive: opensuse-security (334 mails)

Re: [suse-security] SuSEfirewall2 and Reverse Masq HELP !
  • From: "Chris de Orla" <cdeorla@xxxxxxxxx>
  • Date: Tue, 16 Sep 2003 05:44:25 -0400
  • Message-id: <002501c37c37$1d986d00$640118ac@xxxxxxxxxxxxxx>
No luck !

Just to confirm the last message, I should have the following:

FW_DEV_EXT="eth1" (this is a public address - let's say eee.eee.eee.1)
FW_DEV_INT="eth0" (this is a private address - let's say iii.iii.iii.1)
FW_DEV_DMZ="eth2" (this is also a private address - let's say ddd.ddd.ddd.1)
FW_MASQ_NETS="iii.iii.iii.0/24 ddd.ddd.ddd.0/24"

FW_FORWARD="0/0,ddd.ddd.ddd.2" (ddd.ddd.ddd.2 is the mailserver on the far side of the DMZ)

FW_FORWARD_MASQ="0/0,ddd.ddd.ddd.2,tcp,25"

The rest (FW_SERVICE_*_*), although not needed, shouldn't matter whether it is there or not.

When I did this, I still get an ACCEPT message in the syslog but no
connection through to the DMZ postfix server.

Does it matter if an application on the firewall using port 25 is running
also? I can telnet from the firewall to the DMZ on port 25. I can telnet
from the DMZ to port 25 on the firewall (not really used or useful, but it
is open).

For connections from the outside, the message in the syslog is SuSE_FW_ACCEPT,
versus how I had it before (FW_FORWARD_MASQ to an internal IP gave
SuSE_FW_ACCEPT_REVERSE_MASQ in the syslog).

@$%$U*^&*&^*^(&*( HELP !!!!!!!




> ----- Original Message -----
> From: "Thomas Schweiger" <El_Don@xxxxxxxxxxxxxxx>
> To: <suse-security@xxxxxxxx>
> Sent: Monday, September 15, 2003 5:25 PM
> Subject: Re: [suse-security] SuSEfirewall2 and Reverse Masq HELP !
>
>
> > On Mon, 15 Sep 2003, Chris de Orla wrote:
> >
> > > I want to reverse masquerade on port 25 from the internet to a DMZ address.
> >
> > [...]
> >
> > > If I make the reverse-masq to something on the internal network, it connects
> > > no problem, anything on the DMZ does not and no failures in syslog.
> > >
> > > What am I missing here ?
> > >
> > > I am running SuSE 7.3 and iptables 1.2.8
> > >
> > > Below is my firewall2.rc.config :
> > >
> > > FW_DEV_EXT="eth1"
> > > FW_DEV_INT="eth0"
> > > FW_DEV_DMZ="eth2"
> >
> > eth2:
> > Is it a private net-address? (e. g. 192.168.0.1 = yyy.yyy.yyy.yyy)
> >
> > > FW_ROUTE="yes"
> > > FW_MASQUERADE="yes"
> > >
> > > FW_MASQ_DEV="$FW_DEV_EXT"
> > > FW_MASQ_NETS="xxx.xx.x.x/24"
> >
> > I assume xxx.xxx.xxx.xxx is your private LAN net-address? (e. g. 192.168.1.1)
> >
> > You should include yyy.yyy.yyy.yyy/aa or at least the ports the DMZ should
> > reach in the internet.
> >
> > > FW_PROTECT_FROM_INTERNAL="yes"
> > > FW_AUTOPROTECT_SERVICES="yes"
> > >
> > > FW_SERVICES_EXT_TCP="123 25"
> > ^^^^
> > You don't need this, because the service (smtpd) is not running on the
> > firewall.
> >
> > > FW_SERVICES_EXT_UDP="123"
> > > FW_SERVICES_EXT_IP=""
> > > FW_SERVICES_DMZ_TCP="25"
> > ^^^^
> > Here the same. You don't need this.
> >
> > > FW_SERVICES_DMZ_UDP=""
> > > FW_SERVICES_DMZ_IP=""
> > > FW_SERVICES_INT_TCP="22 123 25 10000"
> > ^^^^
> > And again.
> >
> > > FW_SERVICES_INT_UDP="123"
> > > FW_SERVICES_INT_IP=""
> > > FW_TRUSTED_NETS="xxx.xx.x.x/24"
> > >
> > > FW_ALLOW_INCOMING_HIGHPORTS_TCP="yes"
> > > FW_ALLOW_INCOMING_HIGHPORTS_UDP="yes"
> > >
> > > FW_SERVICE_AUTODETECT="yes"
> > > FW_SERVICE_DNS="no"
> > > FW_SERVICE_DHCLIENT="no"
> > > FW_SERVICE_DHCPD="no"
> > > FW_SERVICE_SQUID="no"
> > > FW_SERVICE_SAMBA="no"
> > >
> > > FW_FORWARD=""
> >
> > Here you have to put in the services which should be routed from LAN to
> > DMZ (in general packets from private network to private network or from
> > official IPs to official IPs which don't need NAT or DNAT)
> >
> > > FW_FORWARD_MASQ="0/0,y.y.y.y,tcp,25"
> >
> > This should be ok, if y.y.y.y is a private IP-address in the DMZ.
> >
> >
> > All the FW_*_*-parameters are just for this case, if the services are
> > running _ON_ the firewall.
> >
> > >
> > > #                                                                         #
> > > #-------------------------------------------------------------------------#
> > > #                                                                         #
> > > # EXPERT OPTIONS - all others please don't change these!                  #
> > > #                                                                         #
> > > #-------------------------------------------------------------------------#
> > > #                                                                         #
> >
> > [...]
> >
> > Best regards,
> > Thomas Schweiger
> >
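As an added illustration (my own code, not SuSEfirewall2's script and not from either poster): a small Python check that turns the FW_FORWARD_MASQ and FW_MASQ_NETS values discussed in this thread into the iptables rules they imply, and refuses a DNAT target that FW_MASQ_NETS does not cover, which is the point of Thomas's advice to include the DMZ net. The addresses, the device-to-network map and the exact rule wording are constructed assumptions standing in for the eee/iii/ddd placeholders.

```python
import ipaddress

# Constructed stand-ins for the eee/iii/ddd placeholders in the thread.
# Variable names and the "src,dst,proto,port" entry syntax follow the
# page; the rule translation below is my own approximation, not what
# SuSEfirewall2 itself emits.
CONFIG = {
    "FW_DEV_EXT": "eth1",
    "FW_DEV_DMZ": "eth2",
    "FW_MASQ_NETS": "192.168.1.0/24 192.168.2.0/24",
    "FW_FORWARD_MASQ": "0/0,192.168.2.2,tcp,25",
}
# Assumed mapping of internal/DMZ devices to the networks behind them.
DEV_NETS = {"eth0": "192.168.1.0/24", "eth2": "192.168.2.0/24"}


def net(spec):
    """Accept SuSEfirewall2's '0/0' shorthand as well as normal CIDR."""
    return ipaddress.ip_network("0.0.0.0/0" if spec == "0/0" else spec, strict=False)


def render_rules(config, dev_nets):
    """Return iptables commands for the masquerade + reverse-masquerade
    intent, raising ValueError if a DNAT target lies outside FW_MASQ_NETS
    or outside every known internal/DMZ network."""
    ext = config["FW_DEV_EXT"]
    masq_nets = [net(n) for n in config["FW_MASQ_NETS"].split()]
    # Outbound masquerading for every net listed in FW_MASQ_NETS.
    rules = [f"iptables -t nat -A POSTROUTING -o {ext} -s {n} -j MASQUERADE"
             for n in masq_nets]
    for entry in config["FW_FORWARD_MASQ"].split():
        src, dst, proto, port = entry.split(",")[:4]
        target = ipaddress.ip_address(dst)
        if not any(target in n for n in masq_nets):
            raise ValueError(f"{dst} is not covered by FW_MASQ_NETS")
        out_dev = next((d for d, n in dev_nets.items() if target in net(n)), None)
        if out_dev is None:
            raise ValueError(f"no internal/DMZ device known for {dst}")
        # DNAT the inbound connection on the external device ...
        rules.append(f"iptables -t nat -A PREROUTING -i {ext} -s {net(src)} "
                     f"-p {proto} --dport {port} -j DNAT --to-destination {dst}:{port}")
        # ... and allow the rewritten packet to be forwarded to the DMZ device.
        rules.append(f"iptables -A FORWARD -i {ext} -o {out_dev} -p {proto} "
                     f"-d {dst} --dport {port} -j ACCEPT")
    return rules


if __name__ == "__main__":
    for rule in render_rules(CONFIG, DEV_NETS):
        print(rule)
```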

